Front page | perl.perl5.porters |
Postings from August 2008
The code in S_init_postdump_symbols that iterates over the environ array
dereferences the pointer to the current element every operation in that
for block, which leads to a race condition.
Example:
thread 1:
in for loop looking at env var: FOO_VAR
saved '=' character address in s
thread 2:
doing putenv for FOO_VAR
thread 1:
back in the same iteration of the for loop (still FOO_VAR):
(void)hv_store(hv, *env, s - *env, sv, 0);
There's a possibility that in between us saving the address of '=' char
and doing hv_store the value of *env changes to a new address. And then
we can be allocating a really large memory block or a negative one. Both
of those are good reason for Perl malloc to croak and a call like
perl_parse might fail with an "Out of memory!" message printed to
stderr.
I attached a patch that makes a copy of *env before each iteration
instead of dereferencing env at every single operation. This relies on
the agreed upon behavior to never free any memory allocated for vars in
environ, just dropping the old values on the floor (and it'll get freed
exit) when replacing an element of environ. This is the behavior for
putenv/setenv on Linux, Solaris and HP-UX and possibly others. While
this won't fix the issue on systems that don't conform to this behavior
but it'll work a lot better in the corner cases on those systems that
handle it properly.
Cheers,
-- Milosz
Thread Next